The “WannaCry” cyber-attack that hit more than 150 countries since Friday has been stopped, largely thanks to an anonymous cybersecurity researcher. But that doesn’t mean that your data’s safe—and it doesn’t mean that similar methods couldn’t be used again.
Dr. Shaji Khan helped design the cybersecurity programs at University of Missouri–St. Louis, where he works as an assistant professor of Information Systems. The attack was what he calls “the classic mixup of all the bad things that could happen.” It exploited a latent problem with Windows software, then spread ransomware between computers on the same network.
The malware, which may have been based on an exploit released by a group calling themselves Shadow Brokers, affected older Windows computers that hadn’t downloaded a patch previously released to fix the problem, as well as some machines too old to be supported by current updates. (Windows 10 machines were safe.) It encrypted files—effectively locking users out of their own data—and would not decrypt them unless the user paid $300 within a specific timeframe. The amount increased as time passed, and eventually, the files were irretrievable.
But it didn’t stop with a mistakenly downloaded attachment. “What’s dangerous or scary about this particular one is that it spreads,” Khan says. Soon, entire companies were hit, even if the computer user didn’t personally trigger the malware.
Below, Khan discusses what you need to know, and how to protect your data in the future. Khan’s cybersecurity program also offers online resources and IT security advice.
Could St. Louisans or St. Louis–based companies potentially be affected by a ransomware attack like this?
I haven’t heard of reports for St. Louis per se, but it’s very possible that St. Louis companies could be affected. In fact, it’s a very real threat.
So the attack has been stopped, but there’s still potential consequences?
Absolutely. This particular variant was stopped by a researcher in the U.K. in collaboration with another one. But this is barely over. It’s easy for somebody to take that same code and remove that kill-switch [a “stop button” that researcher MalwareTech discovered embedded in the code] and release a copycat version. This is not over yet.
Is there anything else people can do or avoid on the internet to avoid getting a similar virus?
- Always keep your software updated.
- Always have an anti-virus and firewall on your machine.
- Take regular backups.
- Be generally aware of where you click.
This is the bare minimum that you could do. But these very, very basic things will go a long way towards keeping you safe. Microsoft also has a more detailed overview and steps to take for Windows users. It comes with a bit of “selling” from Microsoft, but I don’t see anything wrong with the advice. For business users, Sophos has a good list.
The regular stuff of being vigilant of opening attachments in emails, avoiding really suspicious sites… Just being vigilant overall and not running any files that you’re not sure came from a legitimate source. The simplest thing to do for any attack is always have your machine fully updated and always have backups. If you had a good backup of all your files, you could essentially erase your computer and recover from backup. This is why backups are so important.
If it happened again, could it potentially be much worse? Or does the success with stopping it the first time bode well?
That’s hard to pin down. Philosophically, what’s happening here is the classic intersection of all the bad things at the same time. There was a vulnerability in Windows software. Apparently the NSA had been sitting on that vulnerability; they knew about it, and they knew how to exploit that vulnerability. But they didn’t follow protocol and let Microsoft know about it. So they’ve been sitting on it.
That exploit got released by some hackers. Now this cyber weapon, so to speak, has been sitting with the NSA and got released into the wild. Somehow, somebody was able to marry that exploit with a classic ransomware attack. Now, instead of just attacking one machine at a time, it is spreading across networks.
The perfect defenses against something like this: Microsoft apparently released a patch for this in March, and the simplest thing would’ve been that everybody updated as soon as the patch was released. But now you see, just looking at the sheer numbers of machines affected around the world and at big organizations, you know that they were not patched.
That’s the classic dilemma. All you have to do is update your machine, and you will be safe. But big organizations failed to update patches. So that’s the biggest lesson from all this: keep our machines updated.
With the main exploit theoretically fixed, are there more exploits to be found?
As we say in cybersecurity, there is no such thing as absolute security. Software is developed by human beings. It’s going to be vulnerable; it will not be perfect. As long as we have software, as long as people are developing code, we will likely have vulnerabilities. If someone is motivated enough, they will look for those vulnerabilities and try to exploit them. It’s not going away anytime soon.
Khan also recommends looking to the Federal Bureau of Investigation both for reporting and preventing cyber crimes. The Russian anti-virus company Kaspersky also organizes resources for victims of ransomware.
Editor’s note: This story has been updated to clarify the role of the Shadow Brokers and the type of software.